CVE-2026-55967
Status: Undergoing Analysis - In Progress
AES-GCM Counter Wrap in wolfSSL Streaming API

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: wolfSSL Inc.

Description
AES-GCM encryption/decryption with extremely large cumulative single message sizes (>64 GiB) were not properly rejected by the streaming APIs, allowing counter wrap, keystream reuse, and consequent plaintext recovery.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor Product Version / Range
wolfssl wolfssl to 5.9.1 (exc)
wolfssl wolfssl 5.9.2
CWE ID Description
CWE-323 Nonces should be used for the present occasion and only once.
Executive Summary

This vulnerability involves the AES-GCM encryption and decryption processes when handling extremely large single message sizes greater than 64 GiB. The streaming APIs did not properly reject these large sizes, which allowed the encryption counter to wrap around. This counter wrap leads to keystream reuse, which can result in the recovery of plaintext data by an attacker.

The issue was fixed by adding error handling in wolfSSL's AES functions to detect and prevent input lengths that exceed safe limits, thereby avoiding buffer overflows and undefined behavior.

Impact Analysis

If exploited, this vulnerability can allow an attacker to recover plaintext data from encrypted communications by causing the encryption counter to wrap and reuse the keystream. This compromises the confidentiality of the encrypted data, potentially exposing sensitive information.

Detection Guidance

This vulnerability involves improper handling of extremely large cumulative single message sizes in AES-GCM encryption/decryption streaming APIs, which can lead to counter wrap and keystream reuse.

Detection would require monitoring or auditing the use of AES-GCM encryption/decryption functions, specifically looking for unusually large input lengths exceeding 64 GiB in calls to functions like wc_AesGcmEncryptUpdate() and wc_AesGcmDecryptUpdate().

Since the vulnerability is related to internal API usage and length overflow, there are no direct network commands or simple system commands to detect exploitation.

It is recommended to review application logs or enable debugging in wolfSSL to detect error messages related to AES_GCM_OVERFLOW_E or AES_CCM_OVERFLOW_E, which indicate attempts to process oversized inputs.

Mitigation Strategies

The primary mitigation step is to update the wolfSSL library to version 5.9.2 or later, which includes the fix for this vulnerability.

This update introduces proper error handling for total length overflows in AES-GCM and AES-CCM encryption/decryption functions, preventing counter wrap and keystream reuse.

Additionally, review your application to ensure it does not process AES-GCM or AES-CCM messages with cumulative sizes exceeding safe limits (greater than 64 GiB).

Enable or monitor error logging for AES_GCM_OVERFLOW_E and AES_CCM_OVERFLOW_E to detect and prevent attempts to exploit this issue.
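
A caller-side length guard for the application review described above, as an added example (not wolfSSL's code or its fix). It tracks cumulative plaintext bytes per message and refuses any chunk that would pass the NIST SP 800-38D limit of 2^39 - 256 bits (2^36 - 32 bytes), and gcm_block_counter shows which 32-bit counter value a byte offset maps to. The names gcm_len_guard, gcm_len_guard_add and gcm_block_counter are hypothetical, and a 96-bit IV is assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* NIST SP 800-38D: plaintext per (key, IV) is at most 2^39 - 256 bits. */
#define GCM_MAX_PLAINTEXT_BYTES ((((uint64_t)1) << 36) - 32)

/* Hypothetical caller-side tracker; not a wolfSSL type. */
typedef struct {
    uint64_t total; /* plaintext bytes accepted so far for this message */
} gcm_len_guard;

void gcm_len_guard_init(gcm_len_guard *g) { g->total = 0; }

/* Call before each streaming update of `chunk` bytes.
 * Returns 0 and records the chunk if the message stays within the limit,
 * -1 (nothing recorded) if the chunk would push it past the limit. */
int gcm_len_guard_add(gcm_len_guard *g, uint64_t chunk)
{
    /* Compare against the remaining room so the sum cannot overflow. */
    if (chunk > GCM_MAX_PLAINTEXT_BYTES - g->total)
        return -1;
    g->total += chunk;
    return 0;
}

/* 32-bit counter value used for the block that holds byte `offset`.
 * With a 96-bit IV, J0 carries counter 1 and the first data block uses 2;
 * the counter field is only 32 bits wide, so it wraps modulo 2^32. */
uint32_t gcm_block_counter(uint64_t offset)
{
    return (uint32_t)(2u + (offset / 16));
}

int main(void)
{
    gcm_len_guard g;
    gcm_len_guard_init(&g);
    printf("accept full-size message: %d\n",
           gcm_len_guard_add(&g, GCM_MAX_PLAINTEXT_BYTES));
    printf("accept one more byte:     %d\n", gcm_len_guard_add(&g, 1));
    /* Offsets 0 and 2^36 map to the same counter: same keystream block. */
    printf("counter at offset 0:      %u\n", (unsigned)gcm_block_counter(0));
    printf("counter at offset 2^36:   %u\n",
           (unsigned)gcm_block_counter((uint64_t)1 << 36));
    return 0;
}
```

Keep one guard per message (per key and IV pair) and reset it only when a new IV is set.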

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-55967 on compliance with common standards and regulations such as GDPR or HIPAA.
